In this presentation, Huiming Liu, a researcher at Tencent Security Xuanwu Lab, will present an astonishing mobile wireless zombie (Wombie) attack demo, in which smartphone viruses spread like the zombies in "Resident Evil"; the technical details will also be explained. The Wombie doesn't rely on the Internet to spread, so it can't be detected on the Internet. Besides, it can serve as an attack amplifier for many other attack methods. For example, the recent KRACK attack on WPA2 benefits a lot when combined with the Wombie attack.
8. Patch Firmware? Why?
• In a word, launch a Karma attack on a smartphone
• Karma Attack
• If your device has ever connected to a WiFi network, it will frequently send probe requests to find it.
• Many devices will automatically connect if they get the correct response, which is very easy to forge when the devices send directed probes.
• Then, the devices may become MITM victims
• How about on the latest smartphones?
9. Karma Attack! But on Android?
• The latest Android versions won't normally send directed probes
• However
• All of them still send BROADCAST probes, so an SSID dictionary can be used to launch a Karma attack.
• Adding a network manually will STILL send a directed probe
• Some ROMs send directed probes by MISTAKE
• How about the phone being an attacker?
• The WiFi chip in smartphones can be in both STA and AP mode
• Smartphones are inherently mobile and exist in massive numbers
• If we can make a victim attack and infect another victim, the situation gets much worse
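As an added example (not from the talk), here is a small Python detector for the two behaviours slides 8 and 9 describe from the defender's side: clients that leak saved network names through directed probe requests, and a single BSSID that answers probe requests for many different SSIDs, which is the Karma signature. It parses the standard 802.11 management-frame layout; the sample frames are constructed inline rather than captured, and the threshold of three SSIDs is an assumed tuning value.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24             # FC(2) dur(2) addr1(6) addr2(6) addr3(6) seq(2)
PROBE_REQ, PROBE_RESP = 4, 5  # 802.11 management-frame subtypes
def parse_probe_frame(frame: bytes):
    """(subtype, src_mac, bssid, ssid) for a probe req/resp, else None; '' = wildcard."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (PROBE_REQ, PROBE_RESP):
        return None
    src, bssid = frame[10:16].hex(":"), frame[16:22].hex(":")
    body = frame[MGMT_HDR_LEN + (12 if subtype == PROBE_RESP else 0):]  # resp: 12 fixed bytes
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:   # truncated IE: treat frame as malformed
            return None
        if tag == 0:              # IE 0 = SSID
            return subtype, src, bssid, value.decode("utf-8", "replace")
        i += 2 + length
    return None

def build_probe_frame(subtype, src, bssid, ssid):
    """Constructed test frame (not captured traffic), minimal but parser-correct."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + mac(src) + mac(bssid) + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype == PROBE_RESP else b""
    return hdr + fixed + bytes([0, len(ssid.encode())]) + ssid.encode()

def analyse(frames, threshold=3):
    """karma_aps: BSSIDs answering >= threshold distinct SSIDs; leakers: directed probers."""
    ssids_by_bssid, leakers = defaultdict(set), defaultdict(set)
    for subtype, src, bssid, ssid in filter(None, map(parse_probe_frame, frames)):
        if subtype == PROBE_RESP:
            ssids_by_bssid[bssid].add(ssid)
        elif ssid:                # directed request reveals a saved network name
            leakers[src].add(ssid)
    karma_aps = {b: sorted(s) for b, s in ssids_by_bssid.items() if len(s) >= threshold}
    return karma_aps, {m: sorted(s) for m, s in leakers.items()}

# Constructed sample: ...01 probes wildcard, ...02 probes directed, AP ...aa is honest,
# AP ...bb answers every SSID it hears (Karma behaviour)
SAMPLE_FRAMES = [
    build_probe_frame(PROBE_REQ, "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", ""),
    build_probe_frame(PROBE_REQ, "02:00:00:00:00:02", "ff:ff:ff:ff:ff:ff", "HomeWiFi"),
    build_probe_frame(PROBE_RESP, "02:00:00:00:00:aa", "02:00:00:00:00:aa", "CoffeeShop"),
] + [build_probe_frame(PROBE_RESP, "02:00:00:00:00:bb", "02:00:00:00:00:bb", s)
     for s in ("HomeWiFi", "CoffeeShop", "Airport_Free")]
```

On a real capture, feed the raw 802.11 frames from a monitor-mode interface in place of SAMPLE_FRAMES; a BSSID flagged by analyse() is worth a closer look, and the leakers list shows which of your own devices still reveal saved networks.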
10. Patch Firmware to Make the Phone Infectious – How?
• Reverse Engineering the firmware
• Patch Probe Request Handler
• Patch Association Request Handler
12. Instead, Forward the Probe Request to the Firmware Layer and Respond!
• Patch 1 line in UCODE to forward it to firmware
• hook sub_19610E
• Call wlc_bcn_prb_template to generate template
• Modify dst mac and ssid
14. Patch Association Request Handler (Nexus 6p) -- How?
• All required Information Elements' parse function pointers are stored in an array dynamically created in Firmware (RAM)
• The SSID Information Element's parse function is implemented in ROM (hard to modify)
• So, we choose to modify the firmware instead of the ROM
• hook a function (sub_1B03AC) in Firmware
• Implement an SSID parse function
• Replace the original parse function pointer with our new function pointer
• Nexmon
• C-based Firmware Patching Framework for Broadcom/Cypress WiFi Chips that enables Monitor Mode, Frame Injection and much more
16. Wombie Attack Process
• Step 1: Launch a Karma attack to MITM other phones.
• Step 2: Get RCE by exploiting the vulnerabilities in the victims' smartphones
• Step 3: Get root access, modify the firmware and set up the attack environment.
• Step 4: The victim infects another victim
17. What's Inside a Wireless Zombie?
• 1. Background AP
• 2. MITM module
• 3. Exploit and Environment Setup module
(Diagram: Background AP, Traffic Hijack Module, Exploit Payloads)
18. How to get RCE/ROOT? Android Fragmentation!
• Google's latest data (OCT 2017):
• Android version <=5.x 50%
• Latest Android release version 0.2%
• Version <= 4.x 22.3%
19. Impact
• Invisible Attack:
• Doesn't rely on the Internet to spread, so it can't be detected on the Internet
• Magnifier:
• Easier to exploit & more severe consequences
20. Combined with KRACK (attack on WPA2)?
• The KRACK attack's preconditions can be satisfied within our attack model.
• Preconditions
• Clone the original WiFi network onto a different channel
• Monitor, block and send specific messages
• How we can do this in our model
• Nexmon to intercept packets (OK)
• Like running tcpdump in monitor mode and airbase-ng at the same time (OK)
• But the exploit scripts have not been released yet
• The KRACK attack on WPA2 can be combined with our Karma attack to launch and spread more easily
21. Conclusion
• 1. The Karma attack on smartphones is very dangerous due to Android fragmentation and the smartphone's mobility.
• 2. To defend against this attack model, we must work on system security, wireless security and hardware security together
• 3. There's no absolute security. Apart from the vendors' efforts, users also need to pay more attention.